The world wide web has allowed information to be easily exposed to anyone worldwide. Difficulties arise when one does not want the information to be accessible to the entire Internet community. The publisher of a document cannot easily define who should or should not have access to it. Various controls are deployable to add security and restrict access to a defined group of users, yet secured systems are generally isolated from each other, representing distinct groups of users. A user identity and password on one system will generally have no meaning on another system.
Information in one secured system is generally unavailable to the users of another secured system. This is often desirable. However, there are numerous examples where the converse is a core requirement. For instance, there may exist sensitive documents that should be available to the staff of an enterprise. Typically, these documents are only accessible by users of the particular system on which they reside. Staff in other divisions or territories are not recognized by that system. Still less are third parties who should also have secure access to the documents. Such situations present a distinct security problem because users and/or resources are not within the same security authority. A common solution is to create an overarching system such as an intranet that centralizes data and users. Unfortunately this is an impracticable way to represent the numerous relationships that coexist between individuals, enterprises, and other entities.
The choice of email provider is an illustrative parallel. If communicants needed to be registered with the same provider to send and receive each other's messages, the technology would be of little relative worth. A person's choice of provider is not based on the individuals they might wish to communicate with. These are in any case dispersed across a profusion of other providers.
Users also migrate between service providers and have to relinquish their previous user identity. Email fails here, as email addresses are not transferable between domains. Generally, changing one's network location implies having to re-establish the basis of electronic relationships with other users if one's network identity is the basis of security permissions.
The distributed nature of the internet presents a distinct problem with regards to the management of users' access to each others' private data. Whereas technologies such as SSL/TLS, SSH, and IPSEC effectively manage secure one-to-one communication between authenticated systems, they do not address the problem of many-to-many access permissions. There are various approaches to this particular problem in the art. Typically, they involve a central entity acting as an authority over a network. This authority either authenticates user identities or acts as an endorser of identities as worthy of ‘trust’.
An example of a centralized authentication entity is the Kerberos system (Kohl, J. and C. Neuman, “The Kerberos Network Authentication Service (V5)”, RFC 1510, 1993). Whilst this approach is applicable within a single organization, there are objections to its use across larger networks. Firstly, it is antithetical to the nature of the Internet, which owes its unbounded scalability to its highly decentralized structure. A technology whose value is dependent on a monopoly of its function suffers scalability problems and is an unstable solution as a network expands. Secondly, the namespace of user identities is necessarily owned by the central entity. This is problematic if one's network identity (and thus one's ability to access resources) is ultimately controlled by an entity to which one may not be accountable, or whom one does not desire as an intermediary.
Public Key Infrastructure (PKI) is an example of a central entity that acts to endorse user identities as worthy of ‘trust’. This is a useful tool for authentication, i.e. the binding of the real name or user name of an individual to a public key in a digital certificate. The endorsement of an authority is however only of value if the authority is trusted by the target system. This suggests the need for multiple authorities. The resulting burden of certificate management is unfortunately beyond the scope of most organizations or systems, particularly as PKI is a difficult model to successfully automate. Furthermore, PKI authorities endorse identities, not access rights. They cannot easily manage these rights or express them in a unified way for consumption by a diversity of target systems.
Approaches that address the problem of authentication without central authorities are Pretty Good Privacy (‘OpenPGP Message Format’, J. Callas, L. Donnerhacke, H. Finney, R. Thayer, RFC 2240, November 1998) and Simple Public Key Infrastructure (‘SPKI Certificate Theory’, C. Ellison, B. Frantz, B. Lampson, R. Rivest, B. Thomas, T. Ylonen, RFC 2693, September 1999). These approaches are compelling but administratively complex from the perspective of a user. The latter does allow the specification of authorization rights, but does not propose a single simple unified method for this. In particular, it is important that an authorization right be understood by more than one system. Consider the case of a group of individuals who each wish to securely expose documents to each other. This should be feasible without knowledge of the nature of each other's systems.
If secure access rights are to be granted to a certain class of document, one would hope this permission could be specified independently of their actual location. For example, documents for consumption by senior staff should be generally classifiable as such, but not solely by virtue of their residence on a particular server. They may indeed exist in multiple locations. One should be able to relocate data to another system without affecting the permissions that other users may have to it. There exist in the art approaches to the separation of document identifiers from their locations. The Handle System (“Handle System Protocol v2.0 Specification”. S. Sun, S. Reilly, L. Lannom, J. Shi, IETF Internet Draft, April 2001) provides a way of resolving a location independent document identifier into its network location. These initiatives ultimately rely on central services which are subject to the scalability issues already mentioned, and are not designed to address intra-user security issues.
When conceiving a distributed network of users and their private data, the systems in the prior art have inherent problems when faced with the combined requirements that: (1) it be a centerless network, (2) access to data may be restricted to specific users, (3) such users may be hosted anywhere else in the network, (4) user identities are not tied to their current choice of service provider, (5) access rights be specified without reference to data or user location, and (6) access rights be simple to administer by the users themselves. Therefore, an improved system and method are needed to enable effective operation within these common requirements. In particular, the present invention is a system that inherently fulfills all the foregoing requirements.